I believe my router is infected with a virus. If it is, it has been infected for a long period of time (perhaps a year or more). Though, I only started to consider it being a virus around a week ago.

I forgot my password to the router in question and can't connect to it. I suppose there is a chance that if it's infected, the virus may have changed the password. I've heard that viruses on routers are stored in RAM and that changing the administrator password after a restart might help, but I've also heard there are viruses that remain after a restart and start requesting their home for a payload.

I want to get rid of this virus completely, but before that I'd like to figure out where it came from (possibly by tracing its signals) and what it does. What would be a way to go about doing this?

If it requests home for a payload (after a restart), there is a chance that I could somehow monitor where it's trying to connect, but there is also a chance that the virus might be removed or start sleeping etc., and then I won't be able to find it.

So how is it possible to gather as much information about the virus (where it came from and what it does) as possible?
How can I remove it completely (without it coming back after a restart)?

I have provided some information from an Intense Scan with Nmap, which scanned all TCP ports (I have only posted the information that can be useful).

Why do you think there is a virus on your router? What symptoms are you seeing which it causes?
– Matthew Aug 28 '18 at 8:46

@Matthew As I have mentioned in my post: a strange open port with rtsp + some applications on my phone say that the network isn't secure and has strange activity on it (yet only my phone was on the network at that time and it has no viruses) + Google asks for robot/human checks all the time. It gets automated signals, but they come not from the devices within the network.
– Mee Aug 28 '18 at 9:08

@Matthew I have now added this info to the post.
– Mee Aug 28 '18 at 9:17

Some routers come with media streaming built in (seems an odd port to use, but not impossible), and Google asking for robot/human checks all the time seems pretty normal, and can be down to things like blocking cookies in the browser; I have clicked on more road signs than I can count. What applications are saying that the network is insecure?
– Matthew Aug 28 '18 at 9:20

@Matthew Banking application. It allows you to connect to your bank account and manage it. When I tried to log in, it alerted that the network isn't secure, and that it cannot allow the connection to be established.
– Mee Aug 28 '18 at 9:31

2 Answers

I would start by trying to protect the router. According to Speednet.com, VPNFilter is a new type of malware designed specifically to target internet routers. It’s capable of collecting communication information from your router, attacking other computers, and destroying your device remotely. According to Cisco, the malware has already infected over 500,000 routers around the world.

Not all routers are susceptible to VPNFilter, but a few of the major brands are at risk.
The easiest (and currently, the only) way to fully remove VPNFilter is to do a factory reset. Typically, that involves pressing down the power button for 5-10 seconds, but you may want to double-check for your specific router model.

If you don’t want to do a full factory reset (which can clear important data from the device), you can also simply reboot your router. This won’t kill VPNFilter entirely, but it will drop the malware back to its initial stage and buy you some time.
Once you’ve wiped your router, there are a few ways to keep yourself protected moving forward.

First, make sure you’re running the latest firmware by logging into your router account in an internet browser and checking for updates. You should also change the admin password for an extra layer of protection.

Finally, make sure that remote management is turned off. This will block hackers from controlling your router without your permission. That should keep you safe from any future malware attacks as well.
As far as seeing what is happening with the virus, this would help. When troubleshooting unknown open ports, it is useful to find exactly what services/processes are listening on them. This can be accomplished in both the Windows command prompt and Linux variants using the "netstat -aon" command.

RTSP is the real time streaming protocol. But the header clearly says UPnP, so my guess is that nmap misidentified the service running. Most consumer routers support UPnP.

some applications on my phone say that the network is not secure and has strange activity on it (yet only my phone was on the network at that time and it has no viruses that I am aware of);

What exactly does the app say? Is the network secured with for instance WPA2, or only WEP or even no security? Have you installed any third party certificates on your phone? Which app tells you this?

I would not place a lot of faith in what a smart phone app tells you.

google asks for robot/human checks all the time. It gets automated signals, but they don't appear to be coming from the devices within the network;

Which external IP does the router have? If you have an ISP that does Carrier Grade NAT or proxying of HTTP requests, or you use a VPN, Google may challenge you with those checks. This indicates many requests, which may or may not be due to malware. It's not a strong indicator of malware in my opinion.

my social network account was hacked about a week or two ago. I have restored access to it.

Facebook uses HTTPS and has preloaded HSTS in all major browsers. Malware at the router level will not be able to intercept such traffic without placing a third party certificate in your OS' root certificate store.

In short: your router may have malware, but the reasons you give are not really convincing to me, and I would look into and try to understand each of the points before jumping to conclusions, as you do.
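The point above, that the port-name guess and the response header disagree, can be checked mechanically. The following is an added example, not code from the answer or from Nmap: it classifies a service from what it actually replies (an RTSP status line vs. an HTTP reply carrying a `UPnP/` Server header or SSDP `NT`/`ST` headers) and compares that with the name the scanner printed for the port. The banners below are constructed samples.

```python
import re

# Constructed sample banners (not from the original post).
UPNP_BANNER = (
    "HTTP/1.1 200 OK\r\n"
    "CONTENT-TYPE: text/xml; charset=\"utf-8\"\r\n"
    "SERVER: Linux/2.6, UPnP/1.0, MiniUPnPd/1.8\r\n"
    "EXT:\r\n\r\n"
)
RTSP_BANNER = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 1\r\n"
    "Public: OPTIONS, DESCRIBE, SETUP, PLAY\r\n\r\n"
)
SSDP_BANNER = (
    "NOTIFY * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "NT: upnp:rootdevice\r\n"
    "SERVER: Router/1.0 UPnP/1.1 MiniUPnPd/2.0\r\n\r\n"
)


def parse_banner(banner):
    """Split a text banner into (start line, {lower-cased header: value})."""
    lines = banner.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify_banner(banner):
    """Name the protocol from the reply itself, ignoring the port number."""
    start, headers = parse_banner(banner)
    if start.startswith("RTSP/"):
        return "rtsp"
    server = headers.get("server", "")
    if (re.search(r"\bUPnP/\d", server)
            or headers.get("nt", "").startswith("upnp:")
            or "st" in headers):
        return "upnp"
    if "HTTP/" in start:
        return "http"
    return "unknown"


def reconcile(scanner_name, banner):
    """Return (banner-based name, whether the scanner's guess agrees)."""
    actual = classify_banner(banner)
    return actual, actual == scanner_name.lower()
```

`reconcile("rtsp", UPNP_BANNER)` returns `("upnp", False)`: the port was labelled rtsp but the reply is a UPnP device description, which is the misidentification the answer describes.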

Thank you for your answer. 1. If you read the comments above, you would see that I have described the application which was triggering the alert and what it said. It was a banking application. The level of security it expects is beyond doubt. 2. The network is secured with WPA2.
– Mee Aug 29 '18 at 6:05

3. It is better to listen to people who say be vigilant in every situation and expect the worst, than to those who say that everything is fine and no actions are required. The first ones solve the problems, while the rest get into trouble. That being said, your answer does not help to resolve the problem. (When it comes to security, it is even better to consider a device to be infected, even if no reasons exist. Just checking or resetting it from time to time.)
– Mee Aug 29 '18 at 6:08

@Mee Stating it's a banking app essentially gives us zero new information. Any sane banking app would not care about network security anyway, but use TLS to ensure that a secure channel can be established over an insecure network.
– vidarlo Aug 29 '18 at 6:10

@mee and for your second point: being vigilant is a good thing. But focusing on the wrong things may make your overall security worse. My answer does not answer your question, because I believe your question is fundamentally flawed. None of the things you list indicates any malware, and I give reasons why.
– vidarlo Aug 29 '18 at 6:12